Fixing annoying password typos during login

rchatterjee, updated 🕥 2022-01-21 19:21:18

MISTYPOGRAPHY

This module implements different typo correction strategies discussed in https://www.cs.cornell.edu/~rahul/papers/pwtypos.pdf. For more details please refer to the project page https://www.cs.cornell.edu/~rahul/projects/pwtypos.html.

REQUIREMENTS

  • Install pwmodel from here:

    ```bash
    $ pip install git+https://github.com/rchatterjee/pwmodels.git
    ```

    This should install all the dependencies; if not, you may have to install python-Levenshtein:

    ```bash
    $ pip install python-Levenshtein
    ```

INSTALL

```bash
$ pip install git+https://github.com/rchatterjee/mistypography.git
```

HOW TO USE?

To allow online typo correction, a set of corrected versions of the mistyped password is created, and each of them is then tested against the real password hash. This code only generates the possible set of corrections (a.k.a. the ball). The simplest way to do this is to use one of the built-in checkers (BUILT_IN_CHECKERS) in the typofixer/checker.py file. Descriptions of these checkers are given in the checker.py file.

You can also instantiate your own Checker. To instantiate a checker you need two arguments: first, a set of correctors, whose names are listed in common.py, and second, a policy number that tunes the checker to use one of the given policies (ChkAll, ChkBl, etc.).

Note: the checker needs the data directory to be in the same folder. You can move the data directory and change the path DATA_DIR_PATH in common.py accordingly.

```bash
$ python
Python 2.7.6 (default, Jun 22 2015, 17:58:13)
[GCC 4.8.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from typofixer.checker import BUILT_IN_CHECKERS
>>> chk = BUILT_IN_CHECKERS['ChkAllTop3']
>>> chk.check('password')
set(['passwor', 'Password', 'PASSWORD', 'password'])
>>> chk_bl = BUILT_IN_CHECKERS['ChkBlTop3']
>>> chk_bl.check('password')
set(['passwor', 'password'])
>>> chk_all = BUILT_IN_CHECKERS['ChkAllTop5']
>>> chk_all.check('password1')
set(['assword1', 'PASSWORD1', 'Password1', 'password!', 'password', 'password1'])
```
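The verification step that this module leaves to the caller, as an added example (not code from the mistypography project): every string in the ball is hashed and compared against the stored hash, and a blocklist drops corrections that are themselves popular passwords. The function names, the three hand-written correctors (chosen to reproduce the ChkAllTop3 output above), the blocklist contents and the PBKDF2 parameters are all assumptions made for this sketch.

```python
import hashlib
import hmac
import os

# Constructed blocklist for the demo; a deployment would load a list of popular passwords.
BLOCKLIST = frozenset({"password", "123456", "qwerty"})


def ball(typed, blocklist=frozenset()):
    """Return the typed string plus its corrections, skipping blocklisted corrections."""
    corrections = [
        typed.swapcase(),                  # Caps Lock was on
        typed[:1].swapcase() + typed[1:],  # Shift slipped on the first character
        typed[:-1],                        # stray extra character at the end
    ]
    out = [typed]  # the string as typed is always checked
    for cand in corrections:
        if cand and cand not in out and cand not in blocklist:
            out.append(cand)
    return out


def hash_pw(password, salt):
    # Iteration count kept low so the demo runs quickly; use your production KDF settings.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)


def enroll(password):
    salt = os.urandom(16)
    return salt, hash_pw(password, salt)


def verify(typed, record, blocklist=BLOCKLIST):
    """Accept the login if any string in the ball hashes to the stored value."""
    salt, stored = record
    accepted = False
    for cand in ball(typed, blocklist):  # no early exit: always hash the whole ball
        accepted |= hmac.compare_digest(hash_pw(cand, salt), stored)
    return accepted
```

With three correctors, one login attempt costs at most four hash computations.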

CONTACT

Rahul Chatterjee ([email protected])

Issues

Bump ipython from 4.1.2 to 7.16.3

opened on 2022-01-21 19:21:18 by dependabot[bot]

Bumps ipython from 4.1.2 to 7.16.3.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
  • `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
  • `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
  • `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/rchatterjee/mistypography/network/alerts).

Bump py from 1.4.31 to 1.10.0

opened on 2021-04-20 17:11:55 by dependabot[bot]

Bumps py from 1.4.31 to 1.10.0.

Changelog

Sourced from py's changelog.

1.10.0 (2020-12-12)

  • Fix a regular expression DoS vulnerability in the py.path.svnwc SVN blame functionality (CVE-2020-29651)
  • Update vendored apipkg: 1.4 => 1.5
  • Update vendored iniconfig: 1.0.0 => 1.1.1

1.9.0 (2020-06-24)

  • Add type annotation stubs for the following modules:

    • py.error
    • py.iniconfig
    • py.path (not including SVN paths)
    • py.io
    • py.xml

    There are no plans to type other modules at this time.

    The type annotations are provided in external .pyi files, not inline in the code, and may therefore contain small errors or omissions. If you use py in conjunction with a type checker, and encounter any type errors you believe should be accepted, please report it in an issue.

1.8.2 (2020-06-15)

  • On Windows, py.path.locals which differ only in case now have the same Python hash value. Previously, such paths were considered equal but had different hashes, which is not allowed and breaks the assumptions made by dicts, sets and other users of hashes.

1.8.1 (2019-12-27)

  • Handle FileNotFoundError when trying to import pathlib in path.common on Python 3.4 (#207).

  • py.path.local.samefile now works correctly in Python 3 on Windows when dealing with symlinks.

1.8.0 (2019-02-21)

  • add "importlib" pyimport mode for python3.5+, allowing unimportable test suites to contain identically named modules.

  • fix LocalPath.as_cwd() not calling os.chdir() with None, when being invoked from a non-existing directory.

... (truncated)

Commits
  • e5ff378 Update CHANGELOG for 1.10.0
  • 94cf44f Update vendored libs
  • 5e8ded5 testing: comment out an assert which fails on Python 3.9 for now
  • afdffcc Rename HOWTORELEASE.rst to RELEASING.rst
  • 2de53a6 Merge pull request #266 from nicoddemus/gh-actions
  • fa1b32e Merge pull request #264 from hugovk/patch-2
  • 887d6b8 Skip test_samefile_symlink on pypy3 on Windows
  • e94e670 Fix test_comments() in test_source
  • fef9a32 Adapt test
  • 4a694b0 Add GitHub Actions badge to README
  • Additional commits viewable in compare view



Upgrade DAWG & pwmodels dependencies

opened on 2021-03-12 08:18:39 by ppartarr

Remove unused variables & functions

opened on 2021-03-12 07:53:00 by ppartarr
  • max neighbourhood n size is never used
  • tpw_done & guess_list serve the same purpose, so remove tpw_done
  • estimated_ball_weight is always positive (product of probability and the size of ball)
  • function test_success_rate is never called

Question about lambda greedy calculation

opened on 2021-02-17 07:42:50 by ppartarr

Hi @rchatterjee,

I really like your work on typo correction! I read your 2016 paper and I've been digging through the code to try and understand it better.

I am curious about how the security loss lambda q greedy is calculated for the various checkers. After solving the best-q-guesses problem in your experiment, you sum the probability of the union ball for every password in the best greedy guesses:

https://github.com/rchatterjee/mistypography/blob/f0fb62cdc42bcd2f4e0881cdeaccfa640edd0b20/security/compute_sec_loss.ver1.py#L207

https://github.com/rchatterjee/mistypography/blob/f0fb62cdc42bcd2f4e0881cdeaccfa640edd0b20/security/compute_secloss.py#L30

I understand that the union ball would be the checked ball for the always checker but this isn't the case for the blacklist & optimal checkers. It seems to me that lambda q greedy should be calculated using the checked ball with typofixer.check(password) | set([password]).

Looking forward to hearing back from you!
